PatchSiren cyber security CVE debrief
CVE-2026-45342 Kovah CVE debrief
LinkAce versions prior to 2.5.6 contain an Insecure Direct Object Reference (IDOR) vulnerability in the authorization policy layer. The flaw allows any authenticated user to modify resources owned by other users, including links, lists, tags, and notes. Both the web interface and REST API are affected. The root cause is in the update() methods of LinkPolicy, LinkListPolicy, TagPolicy, and NotePolicy, which delegate to access-check methods that return true for any resource with non-private visibility regardless of ownership. This contrasts with the delete() methods in the same files, which correctly enforce ownership via $link->user->is($user). The API layer's AuthorizesUserApiActions::userCanUpdateModel() mirrors the broken visibility-only check, while userCanDeleteModel() uses proper ownership verification. Bulk edit operations via BulkEditController are also vulnerable. The vulnerability was published on 2026-05-28 and is fixed in version 2.5.6.
- Vendor: Kovah
- Product: LinkAce
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations running self-hosted LinkAce instances prior to 2.5.6; security teams monitoring for IDOR vulnerabilities in Laravel applications; LinkAce administrators with multi-user deployments where resource visibility settings include public or internal options
Technical summary
The vulnerability exists in the update() methods of four Laravel policy classes (LinkPolicy, LinkListPolicy, TagPolicy, NotePolicy). Each delegates to visibility-based access checks (userCanAccessLink() and equivalents) rather than ownership verification. For public and internal resources, these checks return true for any authenticated user. The API trait AuthorizesUserApiActions contains parallel flawed logic in userCanUpdateModel(). The delete() methods demonstrate the intended security model: $resource->user->is($user) ownership checks. BulkEditController's mass operations inherit the same authorization weakness. The fix in 2.5.6 aligns update authorization with delete authorization, requiring resource ownership for modification operations.
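As an added illustration (not LinkAce's own code), the following stand-alone PHP sketch contrasts the pre-2.5.6 shape of update() with the ownership rule the fix aligns it to. User, Link, the method bodies and the 'internal' link scenario are constructed from the advisory's description; LinkAce's real policy classes run inside Laravel against Eloquent models.

```php
<?php
// Added example, not LinkAce's source: User and Link are minimal stand-ins for the
// Eloquent models, and the method bodies are reconstructed from the advisory text.

final class User
{
    public function __construct(public int $id) {}

    // Stand-in for Eloquent's Model::is(), which compares the two models' keys.
    public function is(User $other): bool
    {
        return $this->id === $other->id;
    }
}

final class Link
{
    public function __construct(public User $user, public string $visibility) {}
}

final class LinkPolicy
{
    // Visibility check: any authenticated user passes for a non-private link.
    private function userCanAccessLink(User $user, Link $link): bool
    {
        return $link->visibility !== 'private' || $link->user->is($user);
    }

    // Pre-2.5.6 shape described in the advisory: update() reuses the visibility
    // check, so ownership is never consulted for public or internal links.
    public function updateBefore(User $user, Link $link): bool
    {
        return $this->userCanAccessLink($user, $link);
    }

    // 2.5.6 shape: update() requires ownership, the rule delete() already applied.
    public function updateAfter(User $user, Link $link): bool
    {
        return $link->user->is($user);
    }
}

// Constructed scenario: user 2 tries to edit user 1's link with 'internal' visibility.
$owner = new User(1);
$intruder = new User(2);
$link = new Link($owner, 'internal');
$policy = new LinkPolicy();
assert($policy->updateBefore($intruder, $link) === true);  // the IDOR: non-owner allowed
assert($policy->updateAfter($intruder, $link) === false);  // fixed: non-owner denied
assert($policy->updateAfter($owner, $link) === true);      // owner still allowed
```

Run with `php -d zend.assertions=1` so the assertions are evaluated; a failing assertion would mean the two checks no longer differ in the way the advisory describes.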
Defensive priority
HIGH
Recommended defensive actions
- Upgrade LinkAce to version 2.5.6 or later to remediate the authorization bypass
- Review access logs for unauthorized modifications to links, lists, tags, or notes by non-owner users
- Audit user accounts for suspicious bulk edit operations via BulkEditController
- Implement additional authorization controls at the application layer as defense in depth
- Monitor for anomalous API usage patterns targeting update endpoints for resources not owned by the requesting user
Evidence notes
The vulnerability description confirms an IDOR in the policy layer affecting update operations across four resource types. The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N indicates a network attack vector, low attack complexity, no attack requirements, low privileges required and no user interaction, with low confidentiality impact, high integrity impact and no availability impact. CWE-639 (Authorization Bypass Through User-Controlled Key) is identified as the primary weakness. The fix version, 2.5.6, is explicitly stated.
Official resources
- CVE-2026-45342 CVE record (CVE.org)
- CVE-2026-45342 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28T22:17:00.227Z